cs 475 : lecture 5greenie/cs475/cs475-13-05.pdf · 2013. 2. 7. · cs 475 : lecture 5 security by...
TRANSCRIPT
-
CS 475 : Lecture 5Security by Isolation
Rachel GreenstadtFebruary 5, 2013
Wednesday, February 6, 2013
-
Reminders
• Project 1 due tonight - vampire rule• Midterm on Thursday• Sadia Afroz will be administering it
Wednesday, February 6, 2013
-
Exam 1
• Open book / open note• Not open device, open discussion• Draws on lectures, homeworks, exercises
and readings
Wednesday, February 6, 2013
-
Exam 1 Topics• Security and risk analysis• Security reviews• Security properties• Software vulnerabilities• Identify vulnerabilities
and how they can be exploited
• Software defenses• Isolation/virtualization• Stack-based defenses
• Code-correctness defenses
• Response-based defenses
• Usability and Psychology• Social engineering• Web infections• Economics of security• Security decision-
making
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+4
3#..*".5/67,#.8.'7.,%
!"#$"%#&
8/549.(+01'(0':6.,+/;6
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+4
3#..*".5/67,#.8.'7.,%
!"#$%&'%(&)$*#+&,#$&-./
89:,./5,6(0'(;'5()*+,/,6(0/
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+4
3#..*".5/67,#.8.'7.,%
!"#$%&'()'*+',
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+4
3#..*".5/67,#.8.'7.,%
!"#$%&'()*+),-./0#&-1#/-*2
8)+9/,6(0':',./0;9/,-'/99'60;,.+5,6(0;
?'@(5A;
B/./C6.,+/96D/,6(0':'.-E+6.-;'5A/0F-;',('G"
>=H?'I-0
2/,6C-'C6.,+/96D/,6(0':'.-E+6.-';/)-'/.5A6,-5,+.-?')(;,'60;,.+5,6(0;'-J-5+,-1'0/,6C-97
K=L/.-
G"MH-C-9'C6.,+/96D/,6(0':';/)-'G"?'6;(9/,-'.-;(+.5-;
K"-.C-.
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+4
3#..*".5/67,#.8.'7.,%
!"#"$%&'()*$#"+&,$&),-%.*/,0*%,1$
8/9,-.':/.13/.-
2-3':/.13/.-'9+**(.,&';0,-
C9-9
!()*/,6D6
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+4
3#..*".5/67,#.8.'7.,%
!"#$%&'"(&$")*+&*,+-./%#"$0
89(:/,-'/01'*.(,-5,'9(;,3/.-';.()')/:656(+9'*.(
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+4
3#..*".5/67,#.8.'7.,%
!"#$%&'"(&$")*+,)#+-.)'&$")*
8.-9-0,60:';6.,+/-'/55-99'(=')/
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+4
3#..*".5/67,#.8.'7.,%
!"#$%&'()'$*#+$,-./0$
89:!'*.(;-5,'/6)-'/??'5@6?1.-0'?/*,(*<
!/00(,'1-)/01'A'7-/.'(?1'5@6?1.-0'6.,+/?6D/,6(0
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'()*+)*&,-.&/012*341
!+..-0,'/**865/,6(09':/;-'0('69(8/,6(0'
"(86,/6.-'5/0'/55-99'0-,3(.4./)9')+9,'.-F+-9,'/116,6(0/8'*-.)6996(09'D.()',:-'GHH
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+44
3#..*".5/67,#.8.'7.,%
!"#$%&'()*+#,-*,
896:,60;'
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'"(&$")*+$)+,-$-.$+/&'0-
8/07'*.(*-.,6-9'(:';6.,+/
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#"$%$"&'()&*)+("',)-".$/%0"1%$"&')*&.)2%03%.4)54$46$"&'
865-9:',;-(.-)'-:'=-.:+:'.-@6:,-.:D'16:4'A>(54:'/01')-)(.7'*/@-:'(+,:61-
E0:,.+)-0,/,6(0'5/0';->*'FA+,'*(::6A>7'5(..+*,6A>-G
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'()*')*+)&',-'.#/*&(($/
8(1-.0'96.+:-:'+:-'*(;7)(.*
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"##$#%&'"()*+)(,-).*/&0-(-1($*#&$#&(,-&2$3("45&641,$#-&748-3
8+96/0':6/0;'-,'/5=H--L'NK"-5+.-L'-,5G
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'()*+,-+,$.
8(0-70-,9'/.-'+9-:+;':(.'0-,3(.4'9-5+.6,7
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$"#%&'()"*"+,-&./0-"1/-
3-8'9:;')-/060-(-
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'#()*&+,-,./(01(234
89-06:'"-5+.6,7';7969
@A'1(30>(/19',B-'3-?*/C-
DE'9/E-F'9-01',('+9-.
G-9+>,9'*+,'60',B-'5/5B-
H>/3&'0(01-,-.)6069)
!"#$%&'#
()*
!+,-./0102)
$%&'#3%&45/64.
78
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'"()*+,&'-)
2(,'/88'/11-1'9-5+.6,7:'0-3'(**(.,+06,6-9';(.')/83/.-
/00-8'/,,/549
?+@9'60'
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'$%()*+$%,-**.
8-9-:(*-1';7''.((,'46,
A0>,-/1'(B'C6160D'7(+.'5(0,.(:'(B'/'5()*.()6>-1'>7>,-)'60',C-'4-.0-:E'60>-.,',C60'C7*-.96>(.';-:(3'6,
=+0>'/,'/'C6DC-.':-9-:'(B'*.696:-D-E'>('5/0'>,6::'5(0,.(:',C-')/5C60-
F/.1',('1-,-5,'36,C60',C-'G"
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'(")*+,*-"+"#+*.&/+(01&2"3*40150/"
8-.7'169965+:,',(';61-',;/,''/'E6?'5(1-'E/>-
F/.1',('16>,60?+6>;'G?((1H'8II'9.()'GE/1H'8II
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+44
3#..*".5/67,#.8.'7.,%
!"#$%&'())$*%+,,(-./
8(3'69(:/,-1'/.-';6.,+/:')/5
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#"$%&'($%)#(*+,
896:+6,(+;'/,6(0'5?/0@-;';-5+.6,7'=/01;5/*-
ABB-5,;'9(,?'@((1'/01'6==
"-5+.-'C/+05?D
Wednesday, February 6, 2013
-
!"#$%&'!()*+,-.'/01'2-,3(.4'"-5+.6,7!"#$%&'"(&$")*+&*,+-./%#"$0++1++2&3.+45
3#..*".6/78,#.9.'8.,%
!"#$%&'("#'
86.,+/96:/,6(0';/
-
Next Up : Cryptography
Wednesday, February 6, 2013
-
Cryptography• Symmetric key cryptography (secret key crypto): sender and receiver keys identical• Asymmetric key cryptography (public key crypto): encryption key public, decryption key secret (private)
Wednesday, February 6, 2013
-
Vernam CiphersIntro to Project 2
• XOR cipher - encryption and decryption the same, Block of data XOR key
• Vernam’s cipher used a message with a paper tape loop that read off the key
• More modern versions use a pseudorandom number generator (stream cipher)
• One-time pad - If key perfectly random AND only used once, then perfect secrecy is assured
• Drawbacks?
Wednesday, February 6, 2013
-
Reusing one-time pads
=
=
K1M1 E1
M2 K1 E2
E1 E2
=
Wednesday, February 6, 2013